Cloud Security

Introduction

Cloud security deals with the processes, policies, resources, and technologies involved in keeping
cloud computing architectures protected from cybersecurity threats and risks. Effective cloud
security measures aim to keep cloud data, applications, and services shielded against new and
existing threats via proper controls and solutions. Cloud security can be achieved via the shared
responsibility model, wherein both cloud service providers (CSPs) and cloud customers have their
own aspects that they would need to manage and secure.
Cloud Deployment Model

A cloud deployment model is a specific configuration of environment parameters such as the

accessibility and proprietorship of the deployment infrastructure and storage size. This means that
deployment types vary depending on who controls the infrastructure and where it’s located.

1. Public Cloud:
Public clouds are available to the general public, and data are created and stored on third-party
servers.
Server infrastructure belongs to service providers that manage it and administer pool resources,
which is why there is no need for user companies to buy and maintain their own hardware. Provider
companies offer resources as a service both free of charge or on a pay-per-use basis via the Internet.
Users can scale resources as required.
The public cloud deployment model is the first choice for businesses with low privacy concerns.

For example: Amazon Elastic Compute Cloud (Amazon EC2 — the top service provider according
to ZDNet), Microsoft Azure, Google App Engine, IBM Cloud, Salesforce Heroku and others.

The Advantages of a Public Cloud

 Hassle-free infrastructure management. Having a third party running your cloud
infrastructure is convenient: you do not need to develop and maintain your software because
 the service provider does it for you. In addition, the infrastructure setup and use are
uncomplicated.
 High scalability. You can easily extend the cloud’s capacity as your company requirements
increase.
 Reduced costs. You pay only for the service you use, so there’s no need to invest in
hardware or software.
 24/7 uptime. The extensive network of your provider’s servers ensures your infrastructure is
constantly available and has improved operation time.

The Disadvantages of a Public Cloud

 Compromised reliability. That same server network is also meant to ensure against failure
But often enough, public clouds experience outages and malfunction, as in the case of the
2016 Salesforce CRM disruption that caused a storage collapse.
 Data security and privacy issues give rise to concern. Although access to data is easy, a
public deployment model deprives users of knowing where their information is kept and
who has access to it.
 The lack of a bespoke service. Service providers have only standardized service options,
which is why they often fail to satisfy more complex requirements.

2. Private Cloud

A company owns a private cloud as their architectures are very similar of a public cloud.
The server can be hosted externally or on the premises of the owner company. Regardless of their
physical location, these infrastructures are maintained on a designated private network and use
software and hardware that are intended for use only by the owner company.
A clearly defined scope of people have access to the information kept in a private repository, which
prevents the general public from using it. In light of numerous breaches in recent years, a growing
number of large corporations has decided on a closed private cloud model, as this minimizes data
security issues.
Compared to the public model, the private cloud provides wider opportunities for customizing the
infrastructure to the company’s requirements. A private model is especially suitable for companies
that seek to safeguard their mission-critical operations or for businesses with constantly changing
requirements.
Multiple public cloud service providers, including Amazon, IBM, Cisco, Dell and Red Hat, also
provide private solutions.
Advantages:

 Flexible development and high scalability, which allows companies to customize their
infrastructures in accordance with their requirements
 High security, privacy and reliability, as only authorized persons can access resources

Disadvanatages:

The major disadvantage of the private cloud deployment model is its cost, as it requires
considerable expense on hardware, software and staff training. That is why this secure and flexible
computing deployment model is not the right choice for small companies.

3. Community Cloud

A community deployment model largely resembles the private one; the only difference is the set of
users. Whereas only one company owns the private cloud server, several organizations with similar
backgrounds share the infrastructure and related resources of a community cloud.
If all the participating organizations have uniform security, privacy and performance requirements,
this multi-tenant data center architecture helps these companies enhance their efficiency, as in the
case of joint projects. A centralized cloud facilitates project development, management and
implementation. The costs are shared by all users.
Advantages:

 Cost reduction
 Improved security, privacy and reliability
 Ease of data sharing and collaboration

Disadvantages:

 High cost compared to the public deployment model

 Sharing of fixed storage and bandwidth capacity
 Not commonly used yet

4. Hybrid Cloud

A hybrid cloud encompasses the best features of the abovementioned deployment models (public,
private and community). It allows companies to mix and match the facets of the three types that best
suit their requirements.

A company can balance its load by locating mission-critical workloads on a secure private cloud
and deploying less sensitive ones to a public one. The hybrid cloud deployment model not only
safeguards and controls strategically important assets but does so in a cost- and resource-effective
way. This approach facilitates data and application portability.
Advantages:

 Improved security and privacy

 Enhanced scalability and flexibility
 Reasonable price
The following comparative analysis provides the best to facilitate a choice of a deployment model.

Concerns Public Private Community Hybrid

Requires IT Requires IT Requires IT
Ease of setup and use Easy
proficiency proficiency proficiency
Data security and Comparatively
Low High High
privacy high
Little to Comparatively Comparatively
Data control High
none high high
Comparatively
Reliability Low High High
high
Scalability and
High High Fixed Capacity High
flexibility
Cheaper than a
Cost-intensive; the Cost is shared
The private model but
Cost-effectiveness most expensive among community
cheapest more costly than a
model members
public one
Demand for in-house
No Depends Depends Depends
hardware
Cloud Service Models

Cloud computing services offer shared resources such as servers, databases, and networks via the
internet. Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service
(PaaS) are the three service models of cloud computing, each built to address specific business
requirements.

IaaS:

Security Concerns

Information Security Goals:

CIA Triad - A security framework for an information system has three primary goals:
Confidentiality, Integrity, and Availability of physical and logical resources.

Confidentiality - Provides required secrecy of information. It ensures that only authorized

users have access to data (information)

Integrity - Ensures that unauthorized changes to data are not allowed.

Availability - Ensures that authorized users have reliable and timely access to data.
AAA - The security framework for an information system should provide authentication
capabilities. Auditing assesses the effectiveness of security mechanisms.
Primary goals are: Authentication, Authorization, and Auditing.

Authentication - Is a process to ensure that user’s credentials are genuine. It ensures that no
illegitimate access is allowed. A special method for authentication is
Multi-factor authentication.

Authorization - Is a process to give specific access rights to a user to resources. It defines

the scope of the access rights of a user on a resources.
For example: read-only access or read-write access.

Auditing - Is a process to evaluate the effectiveness of security enforcement mechanisms.

Trusted Computing Base (TCB) - Defines boundary between security-critical and non-critical
parts of an information system. TCB of an information system is the set of all components that are
critical to its security. Vulnerabilities occurring inside the TCB might jeopardize the security of the
entire system.

Primary goals are: Careful design and implementation of a system’s TCB can significantly improve
its overall security.

Encryption - It is the process of converting data to a form which cannot be used in any
meaningful way without special knowledge.

Encryption is a key technique to provide confidentiality and integrity of data.

- The unencrypted data is called Cleartext or Plaintext. The encrypted data is called

Ciphertext.

Decryption is the process of converting the encrypted data back to its original form is called
decryption.

- Both encryption and decryption require keys (special knowledge).

* Keys for encryption and decryption can be the same (Symmetric-Data) or different
(Asymmetric-Web browser, Web Server, VPN, Symmetric Key Transmission).

Primary goals are: Confidentiality, Privacy, and Integrity.

Defense-in-Depth - “A mechanism which uses multiple security measures, to reduce the risk of
security threats if one component of the protection gets compromised”.

DID is also known as a “Layered Approach” to security.

Primary goals are: Physical Security, Remote Access Control, Network Security, Computer
Security, Storage Security.
Ex: Antivirus software installed on individual VM when there is already a Virus protection on the
firewalls within same environment.

Different security products from multiple vendors may be deployed to defend different potential
vulnerable resources within the network.

This layered approach reduces the scope of a security breach.

However, the overall cost of deploying defense-in-depth is often higher, compared to single layered
security mechanisms.

Security Infrastructure as a Platform as a Service Software as a

Services / Cloud Service (IaaS) (PaaS) Service
Delivery Models (SaaS)
1. Confidential Non 1. Encrypt sensitive data 1. Routinely scan for
Disclosure Agreement is at rest by using Service vulnerabilities and
signed by each employee Certificate. deviation from the
with penalty clauses in 2. Routinely scan for approved
case of breach of contract. vulnerabilities and configuration.
2. No access of personal deviation from the 2. Identity sensitive
Emails and File approved configuration. data and enforce
Confidentiality transferring platforms. 3. Enforce strong stringent policies on
3. No provision for the password policies and its usage and access.
personal electronic device multifactor 3. Enforce strong
to the system. authentication. password policies
and multifactor
authentication.
4. Policies for access
control.
Integrity 1. Digital environment and 1. Validate TLS/SSL 1. Data should be
restricted printing access. certificates. recorded by the
2. Regular performance of 2. Implement role-based subject who performs
security audits. access controls. Role- the task. It is
3. SSL secure network and based identity and access important to
electronic locks on every management helps to document this action
access. ensure developer and to enable full
4. Regular virus other user access to the transparency and
assessment through Anti- resources and tools they traceability.
virus system. need, but not to other 2. Data must be
resources. accurately recorded.
3. Monitoring and Log Therefore, educating
what the user are doing staff about the
with their rights as well importance of
as activities on the files. following approved
This looks for issues procedures prior to
such as suspicious recording their
access, modifications, actions is essential to
unusual downloads or achieve data
uploads, etc. integrity.
Availability 1. Proper power backup 1. Monitor performance 1. Set up database
and disaster management metrics for potential mirroring,
system. Denial-of-Service master/slave
 2. Running mirror servers conditions. Implement configurations,
in case of cyber incident. connection filters. and/or priming to
3. Regular backups of data 2. Automate backups so ensure data
and uploading at the cloud that the data is ready availability and
servers. whenever disaster minimum downtime.
4. Two physical backups strikes. 2. Maintain sufficient
in the premise and one 3. Set up auto-scalling, capacity to absorb
outside of the premise in so that the application zone or cloud
case of cyber incident. can respond to dynamic failures, using
traffic patterns based on reserved instances if
a set of performance necessary.
metrics. 3. Automate backups,
so that the data is
ready whenever
disaster strikes.
1. Use of dedidcated 1. Implementation of 1. Personally
VLANs leveraging role-based access Identifiable
auotmated access control controls. Information (PII)
lists (ACLs). 2. Access control policy encryption of
2. Access to the hypervisor related to the replicated personal data to the
should be restricted to data in other PaaS entire organization
authorized cloud providers should be and which allows
administrators only. synchronized only users with the
3. A service level accordingly based on an right permissions to
agreement should be AC policy in the central see decrypted data.
designed to include system. 2. Network
appropriate control to 3. A centralized restriction restricting
secure external architecture for access the
interoperations. provisioning and application for all
enforcement of access users who do not
Access Control policies governing belong to defined list
access to all of subnets.
microservices is required 3. Attribute based
due to the sheer number access control
of services needed for (ABAC) and
service composition to Attributed based
support real world encryption (ABE)
business transactions. schemes should be
used to control
access to SaaS data,
since these schemes
can use the identity
of users through
attributes to manage,
encrypt, and decrypt
application data.
Defense In Depth 1. Different security 1. Deployment of nested 1. Ensure individual
products from multiple firewalls, antivirus server performance
vendors may be deployed software, and intrusion and uptime.
to defend different detection tools. 2. Verify the
potential vulnerable 2. Deployment of user effectiveness of
resources within the authentication controls security controls and
 network. and fail-over compliance.
2. Antivirus software mechanisms. 3. Maintain a smooth
installation on individual 3. Deployment of user experience.
VM apart from a virus various integrity and
protection on the firewalls confidentiality controls.
within the same
environment.
Authentication 1. User have full access to 1. Advanced features are 1. Proper session
storage and network. restricted, without proper authentication, token
Therefore, proper authentication. verification to verify
authentication needed. 2. It provides real time identity.
2. MFA shall be used. protection with the help 2. Nothing is
of tools. managed by us. So
important to take
care.
3. If authentication is
breached, direct
database is available.
1. Users have complete 1. Restrict services and 1. A privacy policy to
access, so proper privacy information, each user address the type of
policies should be can access. data collected, data
implemented. 2. User access to only usage compliance,
2. Config files and other allowable areas. and also regarding
Privacy confidential files must not 3. No access to admin disclosure of data to
be available to any scripts. third parties.
unauthorized users. 2. Meet the high
standard data privacy
regulations of the
GDPR.
1. Biometric and other 1. Proper log 1. Identifies any kind
secure means to be maintenance should be of tamparing.
adopted to enforce Non- adapted and 2. Cookies, Session
Non-Repudiation Repudiation. continuously monitored. authentication,
2. Users use shared credentials are
platforms, so logs are important steps.
important.
Least Privilege 1. Identity and access 1. Identify roles and 1. Design a flexible
management. responsibilities for team or real-time
2. Network access / members requiring mechanism for
Segmentation. access to the cloud assigning and
3. Usage and Management infrastructure. revoking privileges
from Cloud Security 2. Determine the type of to maintain the
Posture Management network access needed. usability of the SaaS
(CSPM). 3. Evaluate IAM roles service.
and privilege 2. Accessing data
assignments and should risk and detecting
monitor the cloud control exceedingly liberal
plane. account permissions
using CSPM.
3. CSPM could also
be used for
 compliance
assessment,
operational
monitoring, DevOps
integrations, risk
visualization caused
by various privilege
escalations.

1.1. Security Concepts:

a. Explain the security concepts in Cloud Deployment models (Public, Private, Community,
Hyberid).

b. Illustrate the security concepts in Cloud Service models (IaaS, PaaS, SaaS).

1.2 Cryptographic Systems:

a. Explain and implement RSA public-key cryptography with an example.

b. Explain the public-key infrastructures with neat diagrams.

c. Demonstrate the X.509 certificate generation and usage with Banking system interactions.

2.1 Virtulization System Security Issues:

a. Illustrate the ESX file system security and storage considerations.

b. Explain the operations for the VM backup and recovery system with neat diagram.

2.2 Virtualization System Vulnerabilities:

a. Classify the classes of Virtual Machine Vulnerabilities and its prevention techniques.

3.1 Virtualization System Specific Attacks:

a. Illustrate any two specific attacks on Virtualized System with an example.

b. Explain the root kit level attack with neat diagram.